As you point out, there are a few different ways that signing policy can
handle services. You can make the service name a "selector", or use a
tag similar to s= in the policy record. The latter doesn't scale as
well to large numbers of services, but the SSP records are short to
begin with, and I can't think of enough services to run out of UDP-space
for the policy.

For a new service that always signs and discards unauthenticated
traffic, policy could be embedded in each selector. A global policy,
with a well-defined namespace, is only needed if unauthenticated
traffic is possibly acceptable.

Mark.
_______________________________________________
ietf-dkim mailing list
http://dkim.org